Metadata Encryption – Underestimated Riches for Cyber-Criminals

Contrary to the common myth, metadata (data about data) is sensitive information. It is the most underestimated source of data breach riches for cyber-criminals, especially in a world where Big Data analytics and machine learning benefit hackers as much as legitimate users.

In a recent post “Identifying People by Metadata”, data security expert Bruce Schneier highlights a research paper by Beatrice Perez, Mirco Musolesi, and Gianluca Stringhini.

In the paper itself, the researchers report the ability to identify an individual user within a 10,000-strong sample with 96.7% accuracy. They also explore the ineffectiveness of data perturbation or obfuscation when it comes to metadata.

Data security policy makers have been eager to convince the public that government-obtained metadata doesn’t pose a security risk. However, as we’ve seen in recent months, a metadata breach can be far from benign. Data about data may be just as sensitive as the data itself.

Organisations that gather, store and process metadata should employ cyber-security best practice and ensure the metadata is encrypted, both at rest and in motion (for example, to, from and between data centres). Failure to do so could have serious consequences for both the data subjects and processors.

On May 1st, 2017, Australia’s first metadata breach was reported – occurring just two weeks after the Australian metadata retention laws came into effect. Somewhat embarrassingly, the breach was of metadata held by the Australian Federal Police.

Government and legislative assurances that metadata is neither “sensitive” nor personally identifiable reveal either naivety or ignorance of the reality of Big Data analytics. A properly motivated or skilled data analyst can extract a wealth of exploitable information from metadata.

If the Australian government doesn’t classify metadata as sensitive and deserving of encryption security, it raises the question: who else is overlooking the importance of metadata?
